Self-provisioning access control

ABSTRACT

A processor-implemented access control method includes receiving credential and policy directory information to configure an access controller to allow self-provisioning of the access controller through periodic, automated query of the directory by the access controller; acquiring from the directory, credential and policy information for one or more individuals who may require access; storing in a local cache the acquired credential and policy information; receiving an access request to allow an individual access; comparing the access request to the credential and policy information in the cache; and when the comparison indicates a match, granting the individual access.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.13/855,543, filed Apr. 2, 2013, the contents of which is incorporatedherein by reference in its entirety.

BACKGROUND

Access control systems may limit entry into enclosed areas such asbuildings, rooms within buildings, or fenced-in regions to only thosewho have permission to enter. Current access control systems includeaccess card readers at building entry points (i.e., doors). Individualswho have permission to enter the building are provided an access controlcard that can be read by the access card readers. An access card readerobtains information from the access card and communicates theinformation to a control panel. The control panel determines whether thedoor should be unlocked. If the door should be unlocked (i.e., theaccess card is associated with an individual who has permission toenter), the control panel sends a signal to a door locking mechanismcausing the mechanism to unlock.

SUMMARY

A processor-implemented access control method for controlling access toan enclosed area includes receiving credential and policy directoryinformation to configure an access controller to allow self-provisioningof the access controller through periodic, automated query of thedirectory by the access controller; acquiring from the directorycredential and policy information for one or more individuals who mayrequire access to the enclosed area; storing in a local cache theacquired credential and policy information; receiving an access requestto allow an individual access the enclosed area; comparing the accessrequest to the credential and policy information in the cache; and, whenthe comparison indicates a match, granting the individual access to theenclosed area.

A system for controlling access by individuals to an area includes aprocessor and an access controller embodied on a computer-readablestorage medium, the access controller including machine instructionsthat when executed by the processor causes the processor to configurethe access controller to receive: credential and policy directoryinformation from a remote directory, to allow self-provisioning of theaccess controller through periodic, automated query of the directory bythe access controller; and credential and policy information from thedirectory for one or more individuals who may require access to thearea, store in a local cache, the received acquired credential andpolicy information of the directory and the credential and policyinformation of the one or more individuals, receive an access request toallow an individual access to the enclosed area; compare the accessrequest to the credential and policy information in the cache; and whenthe comparison indicates a match, grant the individual access to theenclosed area.

A processor-implemented method for configuring an access controller tocontrol access by an individual to an asset includes receiving acredentials and policy directory address from which the processorobtains credential and policy information for individuals requiringaccess to the asset; receiving a destination address for the credentialand policy information; establishing a periodicity for acquiring thecredential and policy information; acquiring the credential and policyinformation for individuals requiring access to the asset; andautomatically updating the credential and policy information forindividuals requiring access to the asset at the establishedperiodicity.

A self-provisioning/self-reporting access controller includes means forstoring machine instructions for controlling access to an asset, andmeans for executing the machine instructions. The means for executingincludes means for self-provisioning the means for executing the machineinstructions, means for granting/denying access to the asset, and meansfor reporting events related to the granting and denying of access tothe asset.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description refers to the following figures in which likenumerals refer to like items, and in which:

FIGS. 1A-1C illustrate an example access control system and selectcomponents thereof;

FIG. 2 illustrates elements and components of an example accesscontroller used with the system of FIGS. 1A-1C;

FIG. 3 illustrates an example interface enabled through the accesscontroller of FIG. 2;

FIG. 4 illustrates an example access control engine of the accesscontroller of FIG. 2; and

FIGS. 5A-5C are flowcharts illustrating example methods of the system ofFIGS. 1A-1C and the access controller of FIG. 2.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

Ensuring that only authorized individuals access protected or securedareas may be crucially important (e.g., at an airport, a militaryinstallation, office building etc.). Protected or secured areas may bedefined by physical doors (for example, doors through which a human mayenter) and walls, or may be virtually defined in other ways. Forinstance, a protected area may be defined as one in which unauthorizedentry causes a detector to signal intrusion and possibly send a signalor sound an alarm if authorization is not provided.

Access control systems may limit entry into protected or secured areasof buildings, rooms within buildings, or fenced-in regions, or assetsand resources therein, to only those individuals who have permission toenter.

Thus, an access control system, fundamentally, should identify theindividual attempting to enter the secured area or access the assets andverify the individual is currently authorized entry or access. Theherein disclosed access control systems, devices, and methods mayencompass any access technology, including:

(1) using PINs and passwords that can be entered at a key pad associatedwith the access point (e.g., a door);

(2) using biometrics that can be entered by individuals via specialreaders associated with the door;

(3) using traditional signatures, provided by the individuals via aspecial pad associated with the door;

(4) using smart cards or contactless cards (e.g., sending a PIN to thedoor via a special reader/receiver);

(5) using a digital certificate; e.g., one stored in a smart card,contactless card or a wireless device, that can “communicate to thedoor” via a card reader or other receiver; and

(6) using a physical key inserted into a door lock; such a key/lockmechanism may include a special encoding on the key that is read in thelock.

The above list of access technologies is not meant to be exhaustive.Furthermore, some facilities may use combinations of these technologies.The technologies may be used in any environment, including in governmentfacilities, private businesses, public facilities, and in anindividual's home.

As a further explanation of some of the above access technologies, somecurrent access control systems use doors equipped with an entry devicesuch as a key pad, through which an individual enters a PIN or password.The key pad has an attached memory or elementary processor in which alist of valid PINs/passwords is stored, so that the PIN/password may bechecked to determine whether it still is valid. If the PIN/password isvalid, the door opens; otherwise the door remains locked. Suchelementary access control mechanisms offer minimum security. Forexample, a terminated employee may no longer be authorized to go througha door; however, a terminated employee who remembers his PIN still maybe able to open the door. Therefore, it would be necessary to“deprogram” the PIN of terminated employees. Such a procedure, however,may be very cumbersome and costly: a facility may have hundreds ofdoors, and deprograming all such doors whenever an employee leaves or isterminated may be impractical.

Some current card-based access control systems use radio frequencyidentification (RFID) technology. The access card reader includes anRFID transceiver, and the access card includes an RFID tag ortransponder. The RFID transceiver transmits a radio frequency (RF) queryto the card as the card passes over RFID transceiver. The RF transponderincludes a silicon chip and an antenna that enables the card to receiveand respond to the RF query. The response is typically an RF signal thatincludes a pre-programmed identification (ID) number. The card readerreceives the signal and transmits the ID number to a control panel usinga wired or wireless connection. Current card readers may perform somebasic formatting of the identification data prior to sending the data tothe control panel, but generally are unable to perform higher levelfunctions.

Current access controllers rely on proprietary protocols and software toprovision/de-provision credentials, provide configuration information,and report transactions. The proprietary nature of these current accesscontrollers limits a customer's options with respect to implementingchanges, adding new features, and generally moving to other technologysolutions once a specific manufacturer's products have been selected andinstalled. As access controllers move away from RS232/485 communicationsand onto a TCP/IP network communication medium, proprietary protocolsare much less acceptable by the customer.

Furthermore, as physical security systems increase their reliance of anorganization's information technology (IT) infrastructure, ITdepartments may look for options for reducing costs and time to deploy.This requires systems to follow standards both in installation andcommunications. The additional benefit provides interoperability betweenlogical and physical security systems using standards and commercial offthe shelf products.

To overcome these and other problems endemic in current access controlsystems, disclosed here are self-provisioning access controllers andrelated access control systems, and methods of their use. The hereindisclosed access controllers, systems, and methods may be used forcontrolling physical access to buildings, structures, and areas. Theherein disclosed access controllers, systems, and methods providedistributed access control policies, procedures, and credentials on acomputer network while using an existing information technology (IT)infrastructure.

In addition to provisioning/de-provisioning access to assets such asphysical areas, the access controllers, systems and methods disclosedherein also may provision a user/credential identity store with logicalprivileges to provide access to logical assets or resources such asfiles, computing resources, or other computing systems. Furthermore,access to the logical assets or resources may vary depending on thephysical location of the individual requesting such access.

The access controllers, control systems, and control methods aredescribed below with reference to the following terms:

Access controller—a device programmed, or the program itself, to makeaccess decisions based on a cached database supplied by an identitystore. Access requests are made via a sensing device (card reader, pushbutton, etc.); authorization is checked either locally or by referringto a remote identity store for processing. If an access request isapproved, output and input devices/systems (e.g., entry doors) aremanipulated to allow access.

Door controller—a device in communication with the access controller andphysically (e.g., wired or wireless) attached to a credential reader andassociated input and output hardware. The door controller sends changesof state and credential reads to the access controller, waits for anauthorization response from the access controller, and commands attachedinput, output and credential readers according to the authorizationresponse.

Browser—a software program or firmware used to access and displayInternet Web pages; current browsers include Internet Explorer, GoogleChrome, Mozilla Firefox, and Apple Safari.

Identity store (or directory)—a database including relational,hierarchical, networked or other architectures that includesauthorization and authentication data for individuals, credentials,resources, and group memberships. The identity store may reside at afacility owned and operated by an entity different from the entityowning and/or operating the protected area.

Event aggregation—the ability of the access controller to store andforward, to multiple systems, events that occur or are generated in thecourse of operating the access controller.

In an embodiment, the access controller is a software applicationcapable of executing on a commercial off the shelf computer running, forexample, the Linux operating system. The computer may be designed fordesktop, rack mountable, cloud based or an embedded platform such as anaccess controller.

The computer provides the necessary processor, storage and connectivityfor the software application. All required software is loaded onto thecomputer without requiring any installation of software onto any othercomputer system.

The access controller provides an improved way to maintain credentialsand associated access privileges and to transmit in real time eventsusing an existing information technology (IT) infrastructure anddatabases without the need to access or otherwise use proprietarycommunication protocols.

The access controller, as a self-provisioning access device, may obtainand maintain a cached list of credentials and associated accessprivileges; these data allow the access controller to make on-the-spot,real-time access decisions without communication to any other accesscontrol system(s). The cache of credentials and associated accessprivileges may be acquired from one or more host systems periodically,including on a schedule, in real time, or as a complete snapshot. Forexample, the access controller may, in effect, continuously access ahost system directory of access credentials and associated accessprivileges, and download some of all of the credentials and privileges.In an aspect, the access controller downloads these data for a selectnumber of individuals. An individual for whom the data are downloadedmay be uniquely identified, identified by group association, oridentified by assigned roles(s).

The access controller may be used in either real-time, on demand, or ona schedule, to send real time events to a logging and monitoring deviceor system. In an aspect, an event may be an access door unlocking orlocking, an access door open or closed signal (e.g., from a limit switchor position sensor, or based on a logic routine), an access door faultor unusual operation (open for a time exceeding a variable threshold),etc. The events may be sent in any number of formats, including XML,directly into a relational database or system logging facility of anynumber of remote devices or systems. If connectivity is lost, the accesscontroller may buffer the events and may continue event transmissionwhen connectivity is re-established.

The access controller may contain or provide a browser-accessible userinterface. The interface provides an access control system operator theability to configure any number of access points (e.g., doors) and theiroperation, and associated mapping to individuals and/or groups (on anindividual basis, group basis, and/or defined role basis) to conveyaccess privileges. With the same interface, the operator may configurethe access controller to communicate with credential sources, includingcredential sources implemented in or using a relational database, adirectory or hierarchical data store, or flat files such ascomma-separated value (CSV) file, or any common ASCII file.

With the interface, the operator selects and configures a type of datasynchronization including timed intervals, scheduled, on-demand, andreal-time. The synchronization methods may include subscription, inwhich a host access credentials and policy system “pushes” informationchanges to the access controller; audit trail, in which the accesscontroller requests information updates; or data modification triggers,in which code written into the host system detects information changesand sends the changed information to the access controller. Thesubscription method may require a persistent, always-on connectionbetween the host system and the access controller while the otherexample two methods may use a transient connection.

The access controller initiates connection(s) to the sources andretrieves the credential and policy information to build thecontroller's local cache. Each individual may have a unique identifierto collate the individual's information from multiple sources into asingle record. Once transferred to the local cache, the information maybe used in access decisions as credentials are presented at accesscontrol points.

The access controller may log events, and the logs may be configuredwith the user interface to establish any number of devices, services,and systems as event recipients. The access controller may send theevents to a remote monitoring service in any number of formatsincluding, for example, SNMP, XML via direct socket connection (GSM,LAN, WAN, WiFi), Syslog, and through a serial port.

The access controller may be used to assign priorities to events. Theevent priorities may determine which events, and in what order, thoseevents are sent to the remote monitoring service.

FIGS. 1A-C illustrate an example access control system and selectcomponents thereof In FIG. 1A, access control system 10 includes doorsystems 20, access controllers 100, credential and policy directory 200and event monitoring workstation 300, all of which are intended to limitor control access to an area or volume. The controllers 100 communicate110 with the directory 200 and workstation 300 using, for example,TCP/IP backbone 50. The TCP/IP backbone 50 may be wired or wireless, ora combination of wired and wireless. The backbone 50 may includeelements of a local area network (LAN) and a wide area network (WAN),including the Internet. Communications 110 between an access controller100 and the directory 200, and between the controller 100 and theworkstation 300 may be secure communications (e.g., HTTPScommunications).

FIG. 1B illustrates selected components of the access system 10 to limitor control access by individuals to enclosed area 12. As shown, theenclosed area 12 is a six-sided structure with an entry door system 20and an exit door system 20. The door systems 20 are described withreference to FIGS. 1A and 1C. The door systems 20 are intended fornormal human access. Other access points (e.g., windows) may exist, andtheir operation may be monitored, alarmed, and controlled, but suchaccess points are not described further herein.

The enclosed area 12 includes a computing platform 101 on which areimplemented access control features that control, monitor, and report onoperation of the door systems 20. The computing platform 101 may befixed or mobile. The computing platform 101 is shown inside the enclosedarea 12 but need not be. In executing its control, monitoring, andreporting functions, the computing platform 101 with its access controlfeatures may communicate external to the enclosed area 12 by way ofnetwork 50 with the (remote) directory 200 and with (remote) eventmonitoring workstation 300. The network 50 may be wired or wireless, andmay provide for secure communications and signaling in addition tonon-secure communications and signaling.

The enclosed area 12 may be a room in a building, the building itself,or any other structure. The enclosed area 12 is not limited to asix-sided configuration. The enclosed area 12 could be an open structure(e.g., a sports stadium), a fenced-in area (e.g., an area surrounding arunway), or an area having an “invisible” fence or “virtual walls.” Theenclosed area 12 may be geographically fixed (e.g., a building, a roomin a building) or mobile (e.g., a trailer, airplane, ship, orcontainer).

The enclosed area 12 may be used to control access to government orbusiness-classified documents or devices contained therein, access tocomputer systems contained therein, access to individuals, access tovaluable items such as rare paintings, jewelry, etc., and access todangerous materials or systems The enclosed are 12 may be a safe orvault at a bank, a control room for a nuclear reactor, a hangar for aclassified, new-technology airplane, or a passenger gate at an airport.

In a mobile configuration, the enclosed area 12 may be used, forexample, in field operations to quickly establish a secure facilityanywhere in the world. The security of such a mobile enclosed area 12will be apparent from the discussion that follows. Moreover, the mobileenclosed area may be used for very different operations, with differentindividuals able to access the mobile enclosed area 12, depending on itsintended use, by simple configurations changes implemented through auser interface, as described below. Thus, the system 10 provides notonly high levels of security, access control, event monitoring andreporting, but also the flexibility to quickly adapt the mobile enclosedarea 12 to any operation or mission, anywhere in the world, for whichaccess control is desired.

Returning to FIG. 1A, the access controllers 100 also may communicatebetween and among themselves using peer-to-peer communications 120. Suchpeer-to-peer communications 120 may be enabled by use of a secure LAN,for example. Alternately, the peer-to-peer communications 120 may bewireless secure communications. The peer-to-peer communications 120 alsomay follow the TCP/IP protocol.

The peer-to-peer communications 120 allow an access controller 100 tosend and receive access status information and events to and from theother access controllers used in the enclosed area 12. Thus, if a doorsystem 20 is inoperative, its associated access controller 100 mayprovide this information to the other access controllers 100. Thepeer-to-peer communications 120 allow one access controller 100 to actas a parent (master) access controller and the remaining accesscontrollers 100 to act as child (subservient) access controllers. Inthis aspect, information and configurations may be stored or implementedon the parent access controller and then may be replicated on the childaccess controllers.

Finally, the access controller 100 may communicate with the door systems20 using wired or wireless secure communications 130.

The door systems 20, which are described in more detail with referenceto FIG. 1B, control normal human access to an enclosed area 12. In theexample of FIG. 1A, six door systems 20 are illustrated. In an aspect,the six door systems 20 provide three enclosed area access points, andthe door systems 20 operate in pairs; one door system 20 of a pairallows entry into the enclosed area 12 and the other door system 20 ofthe pair allows egress from the enclosed area 12. In another aspect, asingle door system 20 may be used for both entry to and egress from theenclosed area 12.

FIG. 1A shows each door system pair in communication with a separateaccess controller 100. However, other combinations of controllers 100and door systems 20 may be implemented in the system 10. For example, asingle controller 100 may control all door systems 20 for the enclosedarea 12.

The credential & policy directory 200 shown in FIG. 1A may represent oneor many actual directories. The directories may be located remotely fromthe enclosed area 12. The directories may be operated by entities otherthan the operator of the enclosed area 12. For example, the enclosedarea 12 may be a sensitive compartmented information facility (SCIF) fora government contractor, and the directory 200 may represent a directoryfor the government contractor and a directory for a government agency.

A directory 200 may include identification information (name, age,physical characteristics, photograph) for individuals who may be allowedaccess to the enclosed area 12, the identification credentials of theindividuals (PIN/password, RFID tag, certificate), and otherinformation.

The event monitoring workstation 300 may be implemented by the sameentity as that of the enclosed area 12. Alternately, the eventmonitoring workstation 300 may be implemented by and at an entityseparate and apart from that of the enclosed area 12.

The event monitoring workstation 300 may receive event data from theaccess controllers 100.

FIG. 1C illustrates an example door system that may be implemented inthe system of FIG. 1A. In FIG. 1C, door system 20 is shown incommunication with access controller 100 over communication path 110.The door system 20 includes access door 22, door locking mechanism 24,door controller 26, and credential reader 28. The door 22 may be anydoor that allows individuals to enter or leave the enclosed area. Thedoor 22 may include a position sensor (e.g., a limit switch—not shown)that indicates when the door 22 is not fully closed. The position sensormay send a not-fully-closed signal over signal path 21 to the doorcontroller 26. The not-fully-closed signal may be sent continuously orperiodically, and may not be sent until after a predefined time hasexpired.

The locking mechanism includes a remotely operated electro-mechanicallocking element (not shown) such as a dead bolt that is positioned(locked or unlocked) in response to an electrical signal sent oversignal path 21 from the door controller 26.

The door controller 26 receives credential information over signal path29 from credential reader 28 and passes the information to the accesscontroller 100 over signal path 130. The door controller 26 receiveslock/unlock signals from access controller over signal path 130. Thedoor controller 26 sends lock mechanism lock/unlock signals over signalpath 21 to locking mechanism 24.

The credential reader 28 receives credential information 40 for anindividual 42. The credential information 40 may be encoded in an RFIDchip, a credential on a smart card, a PIN/password input using a keypad, biometric data such as fingerprint and retina scan data, forexample.

The door system 20 operates based on access request signals sent to theaccess controller 100 and access authorization signals received, inresponse, from the access controller 100. The door system 20 mayincorporate an auto lock feature that activates (locks) the door 22within a specified time after the door 22 is opened and then shut, afteran unlock signal has been sent to the locking mechanism 24 but the door22 not opened within a specified time, or under other conditions. Theauto lock logic may be implemented in the door controller 26 or thelocking mechanism 24.

The door system 20 may send event signals to the event monitoring system300 by way of the access controller 100. Such signals include door open,door closed, locking mechanism locked and locking mechanism unlocked. Asnoted above, the signals may originate from limit switches in the doorsystem 20.

In an aspect, a door system 20 may be used only for entry and a separatedoor system 20 may be used only for egress.

However configured, the door systems 20 may indicate when an individual42 is in the enclosed area 12 and when the individual 42 has exited theenclosed area 12, based on information obtained by reading credentialinformation 40 of the individual 42 on entry and exit, respectively.These signals may be used to prevent reentry without an interveningexit, for example. The signals (or their absence) also may be used toprevent access to areas and systems within the enclosed area. Forexample, the individual 42 may not be allowed to log onto his computerin the enclosed area 12 in the absence of an entry signal originatingfrom one of the door systems 20 of the enclosed area 12. Thus, theaccess controller and its implemented security functions may be a firststep in a cascading series of access operations the individual may beexposed to.

The door systems 20 may incorporate various alarms such as for a proppedopen door 22, a stuck unlocked locking mechanism 24, and otherindications of breach or fault.

FIGS. 1A-1C describe an access control system 10 primarily as applyingto physical access to an area such as a building or a room in thebuilding. However, the access control system 10, and select componentsthereof, as disclosed above, may be used to control access to anorganization's assets and resources, including logical resources. Forexample, the self-provisioning access controller 100 may be used tocontrol access to an organization's computer system and to the files(i.e., logical resources) contained on the computer system. Moreover,the access controller 100 may self-provision to provide individuals withstaged access to the logical resources. For example, an individual maybe allowed access to files 1-10 in a first enclosed area, and access tofiles 1-20 in a second, and more secure, enclosed area. In this example,the first enclosed area may be a building and the second enclosed areamay be a SCIF within the building. Thus, the self-provisioning accesscontroller 100 may establish very fine control over access privilegesfor individuals, including physical and logical access, and may adjustthe logical access based on the physical location of the individual asindicated by a read of the individual's credentials.

FIG. 2 illustrates elements and components of an example accesscontroller 100 used with the system 10 of FIGS. 1A-1C. In FIG. 2, accesscontroller 100 is shown implemented on a computing platform 101. Thecomputing platform 101 may be any computing device including amain-frame computer, a desktop computer, a laptop computer or tablet,and a smartphone, for example. The access controller 100 may beimplemented as software, hardware, or firmware, or any combination ofthe three. When implemented in software, the access controller 100 maybe stored in a non-transitory computer-readable storage medium.

The computing platform 101 may employ the Linux operating system.Alternately, other operating systems may be used. The computing platform101 includes data store 102, which in turn includes local cache 103,which may be used to locally store credential and access policyinformation for individuals such as the individual 42, non-transitorycomputer-readable storage medium 104 on which may be stored the accesscontroller 100, and event buffer 107, which may temporarily store eventspending transmission to the event monitoring workstation 300. Thecomputing platform further includes browser 105, processor 106, andmemory 108. The processor 106 may load programs for execution, includingthe access controller 100, from the data store 102 into memory 108.

The access controller 100 communicates with local cache 103 and, usingbrowser 105, directories such as the directory 200 and other computingdevices such as the event monitoring workstation 300. However,communications with the directory 200 and workstation 300 may be byother means including over a dedicated, local area network.

The access controller 100 includes interface engine 150 and accesscontrol engine 190. The interface engine 150 provides user interface 160(see FIG. 3), which may be employed by an operator (human) of the accesscontrol system 10 to establish self-provisioning features for and eventreporting by the access controller 100, as described in detail withrespect to FIG. 3.

The access control engine 190 includes logic to communicate with thedirectory 200 to self-provision the cache 103, to operate door systems20 based on information contained in the self-provisioned cache 103. Theaccess control engine 190 includes logic to log events and report theevents to event monitor workstation 300. The logic may enable eventaggregation where the access controller 100 stores and reports events tomultiple destinations. The access control engine 190 is described indetail with respect to FIG. 4.

FIG. 3 illustrates an example user interface 160 enabled through theaccess controller 100 of FIG. 2. User interface 160 provides theoperator the ability to configure and control the operation of anynumber of door systems 20 for the enclosed area 12. The user interface160 allows the operator to create mappings of authorized individuals togroups and to convey access privileges based on individual identities,group memberships, and assigned roles within an organization. With thesame interface 160, the operator may configure the access controller 100to communicate with credential sources, such as the directory 200,including any relational database, directory or hierarchical data store,or with flat files such as CSV or any common ASCII file.

As shown in FIG. 3, the example user interface 160 includes accesswindow 170 for information related to individuals, and event window 180for information related to events. Individual access window 170 includesdirectory address window 171, in which the operator enters the address(e.g., a URL) of the directory 200; individual name window 172, in whichan individual's name may be entered or may be listed in a pull-downmenu; an affiliation window 173 in which the individual's organizationmay be entered; a group window 174 in which groups to which theindividual belongs may be entered; role window 175 in which roles ortasks assigned to the individual may be entered; an identificationnumber window 176 in which an assigned, unique identification appears;an access level window 177, which lists the highest level of access ofthe individual; and a synchronization window 178 in which a periodicityfor updating the individuals' access data by reference to the credentialand policy directory 200 may be specified. Some of the windows 171-178may be in the form of pull-down menus. Some windows, such as thesynchronization window 178 may be displayed once and its selected valueapplied to all individuals. The windows 171-178 may appear in theoperator's display one at a time. Once the data are entered, theoperator may be presented with a confirmation page to confirm theselections. Not all windows need to filled out; in one aspect, theoperator may provide the directory address and the individuals' names,and the remaining data are retrieved by the access controller from thedirectory 200. Moreover, the access controller 100 may retrieve orrefresh the data by reference to the directory 200 on a periodic basis,which may be near to real-time or continuous referral. Alternately, thedata may be retrieved at longer intervals, on a schedule, or on-demand,for example. Thus, the access controller 100 is able to self-provisionitself with access control information for individuals who may requireaccess to the enclosed area 12. As noted above, the retrieved data maybe stored in local cache 103, and the access controller 100 refers tothe local cache 103 when making access decisions.

The event window 180 provides a number of data entry windows, which mayfurther include pull-down menus, and which a system operator may use toestablish an initial configuration of the access controller 100 forreporting event to the event monitoring workstation 300. The eventwindow 180 includes event description window 181 in which event names ortitles, brief description, measurement parameters, and other informationmay be entered. For example, the event window 180 may be used to specifya door open event, the identity of the device providing the door openmeasurement, what a door open event means, and the form in which thedoor open event is provided.

The event window 180 further includes an event priority window 182 inwhich the system operator is able to assign priorities to events. Thepriorities may determine the order in which events are sent from theaccess controller 100 to the event monitoring workstation 300. Thus, forexample, an event indicative of an alarm or fault may have a higherpriority than a door open event.

Still further, the event window 180 includes a report periodicity window183 in which the system operator sets a time frame for reporting eventsto the event monitoring workstation 300.

Finally, the event window 180 includes report destination window 184 inwhich the system operator enters the address of the event monitoringworkstation 300. Using the window 184, the system operator is able todesignate many different entities to receive event reports. Differententities may receive different reports. For example, a first eventmonitoring workstation may receive only door open and door close eventswhile a second event monitoring workstation may receive all events. Thedesignated destinations need not belong to the same entity.

FIG. 4 illustrates an example of the access engine 190 in the accesscontroller 100. The access engine 190 includes self-provisioning module191, comparator 195, decision module 196, event detector/logger 197, andevent reporter 198.

In an embodiment in which the system 10 includes many access controllers100, one access controller 100 may be designated as a parent accesscontroller and the other access controllers may be designated as childaccess controllers. The master access controller may acquire data fromthe directory 200 and then, using peer-to-peer communications 120, copythe acquired data to the child access controllers. Alternately, eachaccess controller 100 may separately communicate with the directory 200.

As noted above, one aspect of the herein disclosed access controlsystems, devices, and methods is the ability of the access controller100 to self-provision with access control information acquired from acredentials and policy directory 200, which may be located remotely fromthe access controller 100 and may be owned and operated by an entityother than the entity that owns and operates the access controller 100.The self-provisioning module 191 provides for some of theself-provisioning functionality. The self-provisioning module 191includes communications sub-module 192, cache filler 193, and cachecommunicator 194. The communications sub-module 192 determines which ofpossibly multiple directories 200, the access controller 100 shouldaddress to acquire and update credentials and policy information. Thesub-module 192 then establishes secure (encrypted; e.g., HTTPS)communications with the selected directory 200 and acquires theinformation. Alternately, some information may be acquired usingnon-secure (unencrypted) communications.

The communications sub-module 192 also may establish secure (ornon-secure) communications with the event monitoring workstation 300 tosend event information in real-time, near real-time (e.g., within a fewseconds of the event), on a schedule, on demand from the eventmonitoring workstation 300, or on some other basis.

The communications between the communications sub-module 192 and thedirectory 200 and the event monitoring workstation 300 may be made byway of browser 105. The communications sub-module 192 may perform dataencryption (for outgoing requests/reports) and decryption (for datapackets received from the directory 200 or requests received from theevent monitoring workstation 300).

The cache filler 193 receives the acquired information from thecommunications sub-module 192 and populates the local cache 103accordingly. The cache filer 192 may run error checks on the receivedinformation prior to storing the information in the cache 103.

The cache communicator 194 may retrieve data from the cache 103 for usein other components of the access control engine 190 such as, forexample, to determine whether to unlock a door 22 to grant access to aspecific individual listed in the cache 103. The cache communicator 104may include a search/display feature that allows the system operator tosearch the cache and receive a report (display) of some or all of thecache contents. The report may be provided in the interface 160 and maybe printed.

The comparator 195 receives credential information acquired at the doorsystems 20 and communicates with the cache communicator 194 to retrievethe appropriate information from the cache 103. The acquired credentialinformation and retrieved information are provided to the decisionmodule 196, which determines if the information matches (sufficiently)so as to permit an individual access to the enclosed area 12.

The event detector/logger 197 receives signals from the door systems 20,classifies the signals according to a pre-defined event, formats thedata as a reportable event, and logs the event in event buffer 107. Theevent reporter 198 then reports the logged events to the eventmonitoring workstation 300 by way of the communications sub-module 192and browser 105.

FIGS. 5A-5C are flowcharts illustrating example methods of the system ofFIGS. 1A-1C and the components of FIGS. 2-4.

FIGS. 5A and 5B illustrate example method 500, which begins in block 505when the access controller 100 receives credential and policy directory200 and event monitoring workstation 300 information (e.g., URLs ofthese devices/systems) and the information is used to configure theaccess controller 100. In an access control system having multipleaccess controllers 100, the configuration of a first (parent) accesscontroller may be copied to the remaining (child) access controllers.

In block 510, the directory information is used to acquire credentialand policy information for one or more individuals who may requireaccess to the enclosed area 12.

In block 515, the thus-acquired credential and policy information isloaded into the local cache of each access controller 100.

In block 520, an access controller 100 receives an access request toallow an individual 42 to enter (or leave) the enclosed area 12 (througha specific door 22). The access request may be based on data read fromthe credential 40

In bock 525, information from the received request is used in the accesscontroller 100 to retrieve credential and policy information in thecache 103 for the individual 42, and the retrieved information then iscompared to that contained in the access request.

In block 530, the access controller 100 determines if the comparisonindicates a sufficient match so as to allow the individual 42 access tothe enclosed area 12. For example, each item of information retrievedfrom the cache 103 may be required to match exactly that read from thecertificate 40. In block 530, if a match is determined, the method 500moves to block 535. If no match is determined, the method 500 moves toblock 545.

In block 535, the access controller 100 sends an unlock signal to thedoor system 20. In block 540, the access controller 100 then monitorsoperation of the door system 20 to determine if the door 22 opens (toadmit the individual 42, and then closes and locks).

In block 545, if implemented in the system 10, the access controller 100sends the access request to the directory 200, which uses its owninternal processing to determine if the information received from thecredential 40 matches that in the directory 200 for the individual 42.

In block 550, the access controller 100 receives a signal from thedirectory 200 indicating either a match or no match. If a match isindicated, the method 500 moves to block 540. If no match is indicated,the method 500 moves to block 555 and the access controller 100 deniesaccess to the individual 42.

In block 560, following the operation of block 540, the accesscontroller 100 receives event information from the door system 20,formats the event information into events, and sends the events to theevent monitoring workstation 300.

Following either block 555 or 560, the method 500 moves to block 565 andends.

FIG. 5C is a flowchart illustrating an example aspect of the process ofblock 505 of FIG. 5A, specifically for configuring an access controller100. In FIG. 5C, method 505 begins in block 571 when the system operatoruses the interface 160 to set the directory (origin) address from whichthe access- controller 100 will acquire credential and policyinformation for individuals 42 requiring access to the enclosed area 12.In block 573, the destination address (i.e., the address of the cache103) is set. In block 575, a synchronization time is set. In block 577,the access controller receives an indication of specific individuals 42whose credentials and related information are to be entered into thecache 103.

In block 579, the access controller receives a definition of events tobe monitored by the access controller 100. The events may be pre-definedor may be established and defined by the system operator using, forexample, the interface 160. In block 581, the access controller 100receives the destination address(es) of the event monitor(s) that willreceive the event information. In block 583, the access controller 100receives a required reporting interval or periodicity. Finally, in block585, the access controller 100 receives parameters defining whatinformation is to be provided or recorded with each event. The method505 then ends.

Certain of the devices shown in the Figures include a computing system.The computing system includes a processor (CPU) and a system bus thatcouples various system components including a system memory such as readonly memory (ROM) and random access memory (RAM), to the processor.Other system memory may be available for use as well. The computingsystem may include more than one processor or a group or cluster ofcomputing system networked together to provide greater processingcapability. The system bus may be any of several types of bus structuresincluding a memory bus or memory controller, a peripheral bus, and alocal bus using any of a variety of bus architectures. A basicinput/output (BIOS) stored in ROM or the like, may provide basicroutines that help to transfer information between elements within thecomputing system, such as during start-up. The computing system furtherincludes data stores, which maintain a database according to knowndatabase management systems. The data stores may be embodied in manyforms, such as a hard disk drive, a magnetic disk drive, an optical diskdrive, tape drive, or another type of computer readable media which canstore data that are accessible by the processor, such as magneticcassettes, flash memory cards, digital versatile disks, cartridges,random access memories (RAM) and, read only memory (ROM). The datastores may be connected to the system bus by a drive interface. The datastores provide nonvolatile storage of computer readable instructions,data structures, program modules and other data for the computingsystem.

To enable human (and in some instances, machine) user interaction, thecomputing system may include an input device, such as a microphone forspeech and audio, a touch sensitive screen for gesture or graphicalinput, keyboard, mouse, motion input, and so forth. An output device caninclude one or more of a number of output mechanisms. In some instances,multimodal systems enable a user to provide multiple types of input tocommunicate with the computing system. A communications interfacegenerally enables the computing device system to communicate with one ormore other computing devices using various communication and networkprotocols.

The preceding disclosure refers to flowcharts and accompanyingdescriptions to illustrate the embodiments represented in FIGS. 5A-5C.The disclosed devices, components, and systems contemplate using orimplementing any suitable technique for performing the stepsillustrated. Thus, FIGS. 5A-5C are for illustration purposes only andthe described or similar steps may be performed at any appropriate time,including concurrently, individually, or in combination. In addition,steps in the flowcharts may take place simultaneously and/or indifferent orders than as shown and described. Moreover, the disclosedsystems may use processes and methods with additional, fewer, and/ordifferent steps.

Embodiments disclosed herein can be implemented in digital electroniccircuitry, or in computer software, firmware, or hardware, including theherein disclosed structures and their equivalents. Some embodiments canbe implemented as one or more computer programs, i.e., one or moremodules of computer program instructions, encoded on computer storagemedium for execution by one or more processors. A computer storagemedium can be, or can be included in, a computer-readable storagedevice, a computer-readable storage substrate, or a random or serialaccess memory. The computer storage medium can also be, or can beincluded in, one or more separate physical components or media such asmultiple CDs, disks, or other storage devices. The computer readablestorage medium does not include a transitory signal.

The herein disclosed methods can be implemented as operations performedby a processor on data stored on one or more computer-readable storagedevices or received from other sources.

A computer program (also known as a program, module, engine, software,software application, script, or code) can be written in any form ofprogramming language, including compiled or interpreted languages,declarative or procedural languages, and it can be deployed in any form,including as a stand-alone program or as a module, component,subroutine, object, or other unit suitable for use in a computingenvironment. A computer program may, but need not, correspond to a filein a file system. A program can be stored in a portion of a file thatholds other programs or data (e.g., one or more scripts stored in amarkup language document), in a single file dedicated to the program inquestion, or in multiple coordinated files (e.g., files that store oneor more modules, sub-programs, or portions of code). A computer programcan be deployed to be executed on one computer or on multiple computersthat are located at one site or distributed across multiple sites andinterconnected by a communication network.

What is claimed:
 1. A processor-implemented method of controlling accessto a physical area comprising a plurality of doors and a plurality ofaccess controllers, the method comprising: at a processor, receivingcredential and policy directory information to configure each accesscontroller of the plurality of access controllers to allowself-provisioning of each access controller through periodic, automatedquery of a credential and policy directory by at least one accesscontroller of the plurality of access controllers, wherein receiving thecredential and policy directory information to configure includesconfiguring each access controller by: configuring a first accesscontroller of the plurality of access controllers through a userinterface; and using peer-to-peer communications between the configuredfirst access controller and any unconfigured access controller among theplurality of access controllers to automatically replicating theconfiguration in each remaining access controller of the plurality ofaccess controllers; acquiring from the credential and policy directory,using the processor, credential and policy information for one or moreindividuals who may require access to the physical area; storing in alocal cache in each access controller, accessible by the processor, theacquired credential and policy information; receiving, at the processor,an access request from a sensing device, to allow an individual amongthe one or more individuals access to the physical area through a doorof the plurality of doors, the door associated with an access controllerof the plurality of access controllers; comparing, by the processor, theaccess request to the credential and policy information in the localcache of the access controller associated with the door; when thecomparison indicates a match, granting the individual access to thephysical area; on a log in attempt to a computer within the physicalarea by the individual: determining if an entry signal corresponding tothe individual originated from the access controller associated with thedoor; and denying the individual access to any computer within thephysical area in absence of the entry signal.
 2. The method of claim 1,wherein the credential and policy directory information comprises a URLof the credential and policy directory.
 3. The method of claim 1,wherein the access request comprises credential and policy informationfrom the sensing device to compare to the credential and policyinformation in the local cache of the access controller associated withthe door.
 4. The method of claim 1, wherein the comparison requires anexact match between information in the access request and correspondingcredential and policy information in the local cache of the accesscontroller associated with the door.
 5. The method of claim 1, furthercomprising: receiving, by the processor, an address of an event monitor;receiving event definition information; and configuring each accesscontroller to monitor for and collect events according to the receivedevent definition information.
 6. The method of claim 5, furthercomprising: configuring each access controller to buffer and report thecollected events to the event monitor.
 7. The method of claim 6, whereinthe processor receives an address of each of a plurality of eventmonitors, and wherein the method comprises simultaneously sending thecollected events to multiple ones of the plurality of event monitors. 8.The method of claim 7, wherein an event comprises one of: a door open, adoor closed, a door stuck open, a door locked, and a door unlocked. 9.The method of claim 1, wherein when the comparison indicates no match,the method comprises sending the access request to the credential andpolicy directory to determine a match.
 10. The method of claim 1,further comprising automatically updating the credential and policyinformation in the local cache of each access controller on a periodicbasis.
 11. The method of claim 10, wherein the updating is performedcontinually in real-time.
 12. A system for controlling access byindividuals to a physical area comprising a plurality of doors and aplurality of access controllers, the system comprising: the plurality ofaccess controllers, wherein each access controller of the plurality ofaccess controllers includes a computer-readable storage medium, thecomputer-readable storage medium comprising machine instructions thatwhen executed by the hardware processor, causes the hardware processorto: configure each access controller to receive: credential and policydirectory information, from a remote directory, to allowself-provisioning of at least one access controller of the plurality ofaccess controllers through periodic, automated query of the remotedirectory by the at least one access controller; and credential andpolicy information from a credential and policy directory for one ormore individuals who may require access to the physical area; whereinthe machine instructions further cause the hardware processor toconfigure each access controller by configuring a first accesscontroller of the plurality of access controllers through a userinterface, and using peer-to-peer communications between the configuredfirst access controller and any unconfigured access controller among theplurality of access controllers to automatically replicating theconfiguration in each remaining access controller of the plurality ofaccess controllers; store in a local cache in each access controller,accessible by the hardware processor, the received credential and policydirectory information from the remote directory and the receivedcredential and policy information from the credential and policydirectory for the one or more individuals; receive an access requestfrom a sensing device to allow an individual access to the physical areathrough a door of the plurality of doors, the door associated with anaccess controller of the plurality of access controllers; compare theaccess request to the credential and policy information in the localcache of the access controller associated with the door; when thecomparison indicates a match, grant the individual access to thephysical area; configure the plurality of access controller to monitorfor and collect events related to the plurality of doors and to monitorfor entry signals and exit signals corresponding to the one or moreindividuals; on a log in attempt to a computer within the physical areaby the individual: determining if an entry signal corresponding to theindividual originated from the access controller associated with thedoor; and denying the individual access to any computer within thephysical area in absence of the entry signal.
 13. The system of claim12, wherein the credential and policy directory information comprises aURL of the credential and policy directory, and wherein the credentialand policy directory and the processor communicate using TCP/IPprotocols.
 14. The system of claim 12, wherein the hardware processorconfigures the plurality of access controllers to monitor for andcollect events according to pre-defined event definition information.15. The system of claim 12, further comprising: a buffer to store thecollected events.
 16. The system of claim 12, wherein the hardwareprocessor receives an address of each of a plurality of event monitors,and wherein the processor simultaneously sends the events to multipleones of the plurality of event monitors.
 17. A processor-implementedmethod for configuring each access controller among a plurality ofaccess controllers to control access by individuals to physical areassecured by plurality of doors, each access controller among theplurality of access controllers being associated with at least one dooramong the plurality of doors, the method further being configured tocontrol access to computers within the physical areas, the methodcomprising: receiving, by a processor, a credentials and policydirectory address from which the processor obtains credential and policyinformation for the individuals requiring access to the physical areas;receiving a destination address for the credential and policyinformation; establishing a periodicity for acquiring the credential andpolicy information; acquiring the credential and policy information forthe individuals requiring access to the physical areas; automaticallyupdating the credential and policy information for the individualsrequiring access to the physical areas at the established periodicity byconfiguring a first access controller of the plurality of accesscontrollers through a user interface as the established periodicity, andusing peer-to-peer communications between the configured first accesscontroller and any unconfigured access controller among the plurality ofaccess controllers to automatically replicating the configuration ineach remaining access controller of the plurality of access controllers;configuring the plurality of access controllers to monitor for andcollect events related to the plurality of doors and to monitor forentry signals and exit signals from the plurality of access controllerscorresponding to the individuals; on a log in attempt to a computerwithin a physical area among the physical areas by an individual amongthe individuals: determining if an entry signal corresponding to theindividual originated from an access controller associated with any doorsecuring the physical area; and denying the individual access to thecomputer within the physical area in absence of the entry signal.